Admin Security
This plugin is most likely redundant if you are running MyBB 1.6.4 or later, which (probably) has these features integrated.

This plugin is based on a suggestion made by frostschutz a while ago.  MyBB seems to be largely ignorant about it, despite actually being a security vulnerability, and I haven't seen any fixes in the SVN as of yet.  So I have decided to release this patch module as a plugin to anyone worried about the various issues.

This plugin does the following:
  • Prevent arbitrary code execution from the AdminCP templates interface and from importing themes
  • Prevent admins from getting the database password
  • Hide non-forum related tables in the backup database page
Note that this plugin does not work on multi-DB server setups (if you don't know what this is, you probably don't have one).


For obvious reasons, don't use this with the PHP in Templates plugin!  You may, however, use this with the Template Conditionals plugin.
(This post was last modified: 07-27-2011 07:11 PM by ZiNgA BuRgA.)
Download: admsec.php (5.7 KB)
Plugin Version: 1.02
Last Updated: 07-01-2010, 10:56 AM

Downloads: 722
MyBB Compatibility: 1.4.x, 1.6.x
Plugin License: WTFPLv2
Uploader: ZiNgA BuRgA
Pirata Nervo
Post: #2
RE: Admin Security
Haven't looked at the code yet but what do you mean by "Prevent admins from getting the database password", how do you prevent it?
I'm glad someone decided to "fix" the issue though, thanks for sharing!
05-20-2010 06:56 AM
ZiNgA BuRgA
Post: #3
RE: Admin Security
Unset the password from the $mybb->config array.  It's not needed once the DB connection is actually made.
05-20-2010 08:49 AM
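The approach described in post #3, sketched as an added example that is not part of the thread or of admsec.php: once the connection exists, every `password` entry is dropped from the in-memory config so later code cannot read it from `$mybb->config`. The function name `scrub_db_passwords`, the stand-in `$mybb` object and the sample values are assumptions; the recursion also covers a nested read/write layout (assumed here for a multi-DB setup), which goes beyond the single-DB case the plugin handles.

```php
<?php
// Added illustration, not code from admsec.php.
// scrub_db_passwords() is a hypothetical helper; all values are constructed.

/**
 * Remove every 'password' entry below the given config section (passed by
 * reference) and return the number of entries removed. Nested arrays are
 * walked too, so per-connection sub-arrays are covered as well.
 */
function scrub_db_passwords(array &$section): int
{
    $removed = 0;
    // Iterate over a copy of the keys so unsetting does not disturb the loop.
    foreach (array_keys($section) as $key) {
        if (is_array($section[$key])) {
            $removed += scrub_db_passwords($section[$key]);
        } elseif ($key === 'password') {
            unset($section[$key]);
            $removed++;
        }
    }
    return $removed;
}

// Stand-in for the forum's core object and its config array (constructed).
$mybb = new stdClass();
$mybb->config = [
    'database' => [
        'type'         => 'mysqli',
        'table_prefix' => 'mybb_',
        // Assumed multi-DB style layout: one credential set per connection.
        'read'  => ['hostname' => 'db-read.example',  'username' => 'forum_ro',
                    'password' => 'constructed-secret-1'],
        'write' => ['hostname' => 'db-write.example', 'username' => 'forum_rw',
                    'password' => 'constructed-secret-2'],
    ],
];

// ... the database connections are opened here, using the passwords ...

$removed = scrub_db_passwords($mybb->config['database']);

// Anything that later dumps the config no longer sees the secrets.
$dump = var_export($mybb->config, true);
echo "entries removed: {$removed}\n";
echo strpos($dump, 'constructed-secret') === false
    ? "no password left in \$mybb->config\n"
    : "password still present\n";
```

This clears only the in-memory copy; the password is still in the config file on disk, so the scrub is only meaningful alongside the plugin's other measure of blocking code execution from the AdminCP.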
Pirata Nervo
Post: #4
RE: Admin Security
Oh all right, I wonder why that's not part of the code though.
05-21-2010 04:37 AM
ZiNgA BuRgA
Post: #5
RE: Admin Security
Cause they're freaking stoopid.
05-21-2010 08:03 AM
darkly
Post: #6
RE: Admin Security
lol at the 'WTFPLv2' license. :P
05-22-2010 12:36 AM
Pirata Nervo
Post: #7
RE: Admin Security
Just seen the control_object function, did you code it? Or does it come with PHP? That's something I've been looking for, for ages!
05-22-2010 05:26 AM
ZiNgA BuRgA
Post: #8
RE: Admin Security
Yes, I wrote that myself.  I've been using it for ages in plugins like PHP in Templates (just not explicitly done as a nice-to-use function).  There's no equivalent PHP function.
(This post was last modified: 05-22-2010 08:53 AM by ZiNgA BuRgA.)
05-22-2010 08:51 AM
Pirata Nervo
Post: #9
RE: Admin Security
Okay, would you mind if I used it for personal tests only?
05-22-2010 11:17 AM
ZiNgA BuRgA
Post: #10
RE: Admin Security
You can use it as per the license :P
05-22-2010 12:16 PM